def test_OktaOpenVPNValidator_run(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
tmp = tempfile.NamedTemporaryFile()
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.run()
self.assertTrue(validator.user_valid)
tmp.file.seek(0)
rv = tmp.file.read()
self.assertEquals(rv, '1')
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_control_file_directory_has_bad_permissions(self):
cfg = self.config
tmp_dir = tempfile.mkdtemp()
tmp = tempfile.NamedTemporaryFile(dir=tmp_dir)
os.chmod(tmp_dir, 0777)
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
msgs = self.expected_messages
msgs.append('directory containing')
self.assertRaises(ControlFilePermissionsError, validator.run)
last_error = self.okta_log_messages['critical'][-1:][0]
for msg in msgs:
self.assertIn(msg, last_error)
tmp.close()
os.rmdir(tmp_dir)
def test_control_file_directory_has_bad_permissions(self):
cfg = self.config
tmp_dir = tempfile.mkdtemp()
tmp = tempfile.NamedTemporaryFile(dir=tmp_dir)
os.chmod(tmp_dir, 0777)
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
msgs = self.expected_messages
msgs.append('directory containing')
self.assertRaises(ControlFilePermissionsError, validator.run)
last_error = self.okta_log_messages['critical'][-1:][0]
for msg in msgs:
self.assertIn(msg, last_error)
tmp.close()
os.rmdir(tmp_dir)
def test_okta_verify_push_int(self, patched_time_sleep):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': int(20),
'mfa_push_delay_secs': int(11),
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
validator.authenticate()
for call in patched_time_sleep.call_args_list:
args, kwargs = call
for arg in args:
import pprint
pprint.pprint(arg)
msg = "time.sleep() must be called with a float not %s"
assert isinstance(arg, float), msg % type(arg)
patched_time_sleep.assert_called_with(11)
def test_OktaOpenVPNValidator_run(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
tmp = tempfile.NamedTemporaryFile()
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.run()
self.assertTrue(validator.user_valid)
tmp.file.seek(0)
rv = tmp.file.read()
self.assertEquals(rv, '1')
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_okta_url_no_token(self):
cfg = {"okta_url": self.okta_url}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["critical"][-1:][0]
self.assertIn("OKTA_TOKEN not defined", last_error)
def test_no_username_or_password(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["warning"][-1:][0]
self.assertIn("is not trusted - failing", last_error)
def test_authenticate_handles_exceptions(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages["error"][-1:][0]
self.assertIn("authentication failed, because", last_error)
def test_okta_url_no_token(self):
cfg = {
'okta_url': self.okta_url
}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['critical'][-1:][0]
self.assertIn('OKTA_TOKEN not defined', last_error)
def test_with_username_and_password(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
env = MockEnviron({"common_name": self.config["username"], "password": self.config["password"]})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config["assert_pinset"] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages["info"][-1:][0]
self.assertIn("is now authenticated with MFA via Okta API", last_error)
def test_no_username_or_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
rv = validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['warning'][-1:][0]
self.assertIn('is not trusted - failing', last_error)
def test_authenticate_handles_exceptions(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['error'][-1:][0]
self.assertIn('authentication failed, because', last_error)
def test_authenticate_handles_exceptions(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.cls = ThrowsErrorOktaAPI
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
rv = validator.authenticate()
self.assertEquals(rv, False)
last_error = self.okta_log_messages['error'][-1:][0]
self.assertIn('authentication failed, because', last_error)
def test_with_username_and_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_okta_verify_push_fails(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': 20,
'mfa_push_delay_secs': self.mfa_push_delay_secs,
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, False)
def test_with_username_and_password(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
}
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1:][0]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_okta_verify_push(self):
cfg = {
'okta_url': self.okta_url,
'okta_token': self.okta_token,
'mfa_push_max_retries': 20,
'mfa_push_delay_secs': self.mfa_push_delay_secs,
}
env = MockEnviron({
'common_name': '*****@*****.**',
'password': self.config['password']
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.load_environment_variables()
validator.okta_config['assert_pinset'] = [self.herokuapp_dot_com_pin]
rv = validator.authenticate()
self.assertEquals(rv, True)
last_error = self.okta_log_messages['info'][-1]
self.assertIn('is now authenticated with MFA via Okta API', last_error)
def test_connect_to_unintended_server_writes_0_to_control_file(self):
cfg = self.config
cfg['okta_url'] = 'https://example.com'
tmp = tempfile.NamedTemporaryFile()
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.run()
self.assertFalse(validator.user_valid)
tmp.file.seek(0)
rv = tmp.file.read()
self.assertEquals(rv, '0')
def test_connect_to_unintended_server_writes_0_to_control_file(self):
cfg = self.config
cfg['okta_url'] = 'https://example.com'
tmp = tempfile.NamedTemporaryFile()
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.run()
self.assertFalse(validator.user_valid)
tmp.file.seek(0)
rv = tmp.file.read()
self.assertEquals(rv, '0')
def test_control_file_bad_permissions_permutations(self):
cfg = self.config
modes = [
0606,
0660,
0622,
]
for mode in modes:
tmp = tempfile.NamedTemporaryFile()
os.chmod(tmp.name, mode)
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
self.assertRaises(ControlFilePermissionsError, validator.run)
tmp.close()
def test_control_file_bad_permissions_permutations(self):
cfg = self.config
modes = [
0606,
0660,
0622,
]
for mode in modes:
tmp = tempfile.NamedTemporaryFile()
os.chmod(tmp.name, mode)
env = MockEnviron({
'common_name': self.config['username'],
'password': self.config['password'],
'auth_control_file': tmp.name,
'assert_pin': self.herokuapp_dot_com_pin,
})
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
self.assertRaises(ControlFilePermissionsError, validator.run)
tmp.close()
def test_OktaOpenVPNValidator_run(self):
cfg = {"okta_url": self.okta_url, "okta_token": self.okta_token}
tmp = tempfile.NamedTemporaryFile()
env = MockEnviron(
{
"common_name": self.config["username"],
"password": self.config["password"],
"auth_control_file": tmp.name,
"assert_pin": self.herokuapp_dot_com_pin,
}
)
validator = OktaOpenVPNValidator()
validator.site_config = cfg
validator.env = env
validator.run()
self.assertTrue(validator.user_valid)
tmp.file.seek(0)
rv = tmp.file.read()
self.assertEquals(rv, "1")
last_error = self.okta_log_messages["info"][-1:][0]
self.assertIn("is now authenticated with MFA via Okta API", last_error)
